In recent years, companies have grown increasingly concerned about their exposure to risk and liability associated with data breaches involving personal information of customers, users, stakeholders, and others (hereinafter referred to collectively as “users” or “end-users”). To conduct most normal business processes, modern companies need to store users' email addresses, telephone numbers, and passwords for the purposes of communicating with users, enabling user account or profile management, and performing security operations such as user identification (i.e., answering the question “who does this entity claim to be?”), authentication (e.g., answering the question “has this entity proven they are who they claim to be?”), and authorization (e.g., answering the question “even if authenticated, is this entity permitted to perform the action in question?”).
Unfortunately, the personal information that companies store and rely on is sensitive data. A bad actor can utilize this personal information for a number of purposes. Most obviously, when a company stores an email address and an associated password for a service provided by the company, any other person who gains access to that email address and associated password can access the service and any associated data (e.g., additional personal information, financial information, etc.). As another example, people often use the same username and password combination on a number of different services, and the username for many services is often a person's primary email address. Accordingly, a data breach can result in a bad actor not only gaining access to data and services provided by the compromised company; it can result in the bad actor accessing other services provided by different companies (e.g., resulting in compromised bank accounts, email accounts, cell phone plans, social media accounts, etc.). As yet another example, even when an end-user has been careful to utilize different passwords for different services, a data breach often results in a bad actor acquiring enough personal information to successfully go through a “password recovery” operation, enabling the bad actor to reset passwords to various services. In addition to the risk presented to end-users and the potential reputational damage that a company may suffer from a data breach, the company may be liable for damages incurred by the end-users as a result of the data breach.
Further, a company's exposure to risk and potential liability stemming from storing personal information is not merely theoretical. YAHOO recently suffered a data breach that resulted in compromised personal information including names, email addresses, dates of birth, and telephone numbers for 500 million users, resulting in a legal settlement of $117 million. Similarly, MARRIOTT suffered a data breach resulting in compromised personal information for 500 million users and, as of 2019, is being sued for $12.5 billion. As a last example, EQUIFAX recently suffered a data breach resulting in compromised personal information for roughly 150 million users, resulting in an agreement to a settlement of over $700 million.
Note that this background description provides context to facilitate understanding and appreciating the detailed description below. Work of the presently named inventors, to the extent described in this background section (as well as aspects of the background description that may not otherwise qualify as prior art at the time of filing), is neither expressly nor impliedly admitted as prior art against the present disclosure.